-rw-r--r--boot.php44
-rw-r--r--mod/dfrn_request.php11
2 files changed, 50 insertions, 5 deletions
diff --git a/boot.php b/boot.php
index 30a8b2441..b69502ef2 100644
--- a/boot.php
+++ b/boot.php
@@ -782,16 +782,54 @@ function get_uid() {
}}
if(! function_exists('validate_url')) {
-function validate_url($url) {
+function validate_url(&$url) {
if(substr($url,0,4) != 'http')
$url = 'http://' . $url;
$h = parse_url($url);
- if(! $h)
+ if(! $h) {
return false;
- if(! checkdnsrr($h['host'], 'ANY'))
+ }
+ if(! checkdnsrr($h['host'], 'ANY')) {
return false;
+ }
return true;
}}
+if(! function_exists('allowed_url')) {
+function allowed_url($url) {
+
+ $h = parse_url($url);
+
+ if(! $h) {
+ return false;
+ }
+
+ $str_allowed = get_config('system','allowed_sites');
+ if(! $str_allowed)
+ return true;
+
+ $found = false;
+
+ $host = strtolower($h['host']);
+
+ // always allow our own site
+
+ if($host == strtolower($_SERVER['SERVER_NAME']))
+ return true;
+
+ $fnmatch = function_exists('fnmatch');
+ $allowed = explode(',',$str_allowed);
+
+ if(count($allowed)) {
+ foreach($allowed as $a) {
+ $pat = strtolower(trim($a));
+ if(($fnmatch && fnmatch($pat,$host)) || ($pat == $host)) {
+ $found = true;
+ break;
+ }
+ }
+ }
+ return $found;
+}}
diff --git a/mod/dfrn_request.php b/mod/dfrn_request.php
index 617d4b2d8..a22492fe6 100644
--- a/mod/dfrn_request.php
+++ b/mod/dfrn_request.php
@@ -134,7 +134,7 @@ function dfrn_request_post(&$a) {
// invalid/bogus request
- notice( t("Unrecoverable protocol error.") . EOL );
+ notice( t('Unrecoverable protocol error.') . EOL );
goaway($a->get_baseurl());
return; // NOTREACHED
}
@@ -219,7 +219,14 @@ function dfrn_request_post(&$a) {
goaway($a->get_baseurl() . '/' . $a->cmd);
return; // NOTREACHED
}
+
+ if(! allowed_url($url)) {
+ notice( t('Disallowed profile URL.') . EOL);
+ goaway($a->get_baseurl() . '/' . $a->cmd);
+ return; // NOTREACHED
+ }
+
require_once('Scrape.php');
$parms = scrape_dfrn($url);
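Review bot: The new allowed_url() check carries no comment explaining what it enforces, and a reader of this function cannot see that an empty `system.allowed_sites` setting disables it entirely. A one-line comment above `if(! allowed_url($url)) {` would make that explicit: `// reject profile URLs whose host is not listed in system.allowed_sites (empty setting = no restriction)`. The check only works if `$url` already carries a scheme and host when it reaches this point, so it must run after validate_url() has normalised the value; whether that ordering holds depends on code above this hunk. dfrn_request_post() starts and ends outside the hunk.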
@@ -301,7 +308,7 @@ function dfrn_request_post(&$a) {
// This notice will only be seen by the requestor if the requestor and requestee are on the same server.
if(! $failed)
- notice( t("Your introduction has been sent.") . EOL );
+ notice( t('Your introduction has been sent.') . EOL );
// "Homecoming" - send the requestor back to their site to record the introduction.